Microsoft’s May Patch Tuesday fixes include two critical remote code-execution vulnerabilities, both of which are under active attack.
The more serious of the two is tied to the Windows 10 VBScript engine and can be triggered when a victim visits a malicious website.
“A user need only visit a malicious website to have attacker-controlled code execute on their machine,” according to Microsoft’s description of the bug (CVE-2018-8174). The flaw could also be used in conjunction with a malicious ActiveX control marked “safe for initialization” in an application, an Office document or within IE’s rendering engine, Microsoft said.
The second bug under active exploit is an elevation of privilege vulnerability (CVE-2018-8120) impacting a Windows Win32k component. “An attacker who successfully exploited this (Win32k) vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change or delete data; or create new accounts with full user rights,” according to Microsoft.
The Win32k subsystem is a juicy target for attackers and is typically used to escape a system sandbox because of its large attack surface and its 1,200 APIs. Both Windows 7 (32/64-bit) and Server 2008 R2 are vulnerable to the Win32k bug.
In total, Microsoft’s May Patch Tuesday roundup included 68 security patches, with 21 listed as critical, 45 rated important and two listed low in severity.
“Browser bugs are again in the spotlight with 17 critical- and seven important-rated browser vulnerabilities patched this month,” wrote ZDI researchers in the company’s Patch Tuesday commentary. “There are also quite a few Office-related patches for May, with the most important being those for Outlook and SharePoint.”
Also receiving patches this month is Microsoft’s Hyper-V hypervisor software, used to manage multiple virtual machines. According to Gill Langston, in Qualys’ Patch Tuesday commentary, the two Hyper-V bugs could enable a guest operating system to compromise the host. “CVE-2018-0961 addresses abuse of vSMB packets, while CVE-2018-0959 could allow arbitrary code execution on the host from a guest OS,” he said.
He added, “While the vulnerabilities are rated as exploitation less likely, it may be time to deploy Hyper-V updates as it has been getting more updates.”
Microsoft’s May Patch Tuesday CVE roundup also includes two official “public disclosures.” According to Chris Goettl, director of product management at Ivanti, these types of disclosures are for when a “vulnerability has been identified, and there is enough proof-of-concept code or documentation regarding how the vulnerability works that a threat actor has an advantage on creating an exploit before companies will have a chance to push an update.”
Microsoft lists one of them as CVE-2018-8141, impacting Windows 10 and Windows Server (version 1709). “[The bug] is an information disclosure vulnerability in the Windows Kernel that could allow an attacker to gain additional information to further compromise the system,” the software giant said.
The second is a Windows image elevation-of-privilege vulnerability (CVE-2018-8170), tied to Windows 10 and Windows Server (version 1709), which could allow an attacker to carry out an elevation-of-privilege attack against affected systems. In both cases, an attacker would need to have logged on or gained locally authenticated access to the system to exploit it, according to Goettl.